September 12th, 2002, 11:37 AM
Create a logout feature
I want to create a logout button. Below is my situation:
The first time the user clicks on my website, he/she is required to enter a password. I use this:
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); // i.e. HTTP 401
During the use of the site on the already-logged-in browser, the user doesn't have to login again. I use:
String authorization = request.getHeader("Authorization");
to get the login ID and password.
Now, I want to create the logout button. I want to reset the "Authorization" parameter in the Header to empty. What should I do?
Thanks a lot,
September 17th, 2002, 10:56 AM
I would really appreciate it if you could point me in some direction. I've tested so many ways but am still stuck.
Thanks a ton.
September 17th, 2002, 01:17 PM
Have you tried response.setHeader("Authorization", ""); ?
September 18th, 2002, 02:33 PM
No, response.setHeader("Authorization","") does not work. I've been searching for the solution for months. It seems that it's impossible. If you guys have any ideas, I just can't say enough thanks.
I already described the problem that I can't create a logout button. I have the same issue when I want to force the user to re-login using the same browser that's been idle for 30 minutes.
for users to log in to their accounts. If the user's browser is idle for 30 min, I want to invalidate the user's session and force him/her to log in again.
Now, when the login dialog appears, if the user clicks Cancel and then refreshes the page, he/she can get into the site again without having to log in. It is because request.getHeader("Authorization") returns the same pair of login and password.
I have tried response.setHeader("Authorization","") before setting the WWW-Authenticate..., it doesn't work. How can I achieve this?
September 18th, 2002, 09:34 PM
From the php manual
September 20th, 2002, 12:28 PM
For a more reliable way to do this, you may want to "roll your own" authentication instead of using the WWW-Authenticate header to get the user and pw.
I assume since you are manually sending the Authenticate header instead of having the HTTP server do it for you, you are also manually retrieving the username and pw and comparing them yourself to a database or flat file? If so, you might be better off looking for a bean in the session and, if it is not there, redirecting the user to a login page. The login page submits to a servlet (could be the same one) and if they check out OK, it creates a bean of some sort and stores it in the session. At the same time you use setMaxInactiveInterval(int interval) to set the session to time out in 30 minutes or whatever.
I don't believe there is a reliable way to keep the browser from returning a previously entered username and pw to a domain it has already authenticated to. Changing the realm is a hack at best. And sending a 401 header may be ignored in the next browser release for all you know.
Hope this helps.
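The session-based design described in the reply above, written out as an added example (not code from the thread): a filter that guards protected URLs, a login servlet that stores the "bean" and sets the 30-minute idle timeout, and a logout servlet whose only job is to invalidate the session. The three classes are shown together but each belongs in its own source file; the filter mapping in web.xml, the login.jsp page, the /home URL and the UserStore.check() lookup are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Applied to every protected URL (web.xml filter-mapping):
// no user object in the session means redirect to the login page.
public class AuthFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false); // never create one just to check
        if (session == null || session.getAttribute("user") == null) {
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }
        chain.doFilter(req, res);
    }
}

// Target of the login form. UserStore.check() is a hypothetical lookup against
// the database or flat file the thread mentions.
public class LoginServlet extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String user = request.getParameter("username");
        if (!UserStore.check(user, request.getParameter("password"))) {
            response.sendRedirect(request.getContextPath() + "/login.jsp?error=1");
            return;
        }
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate(); // drop the pre-login session id
        HttpSession session = request.getSession(true);
        session.setAttribute("user", user); // the "bean" that marks a logged-in session
        session.setMaxInactiveInterval(30 * 60); // 30 min idle: container discards it
        response.sendRedirect(request.getContextPath() + "/home");
    }
}

// The logout button links here; invalidating the session is the whole logout.
public class LogoutServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) session.invalidate();
        response.sendRedirect(request.getContextPath() + "/login.jsp");
    }
}
```

Because the logged-in state lives in the server-side session rather than in the browser's cached Authorization header, Cancel-and-refresh after a timeout cannot get back in: the filter finds no session and redirects to the login page.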